Deploy Micro-Agent/Sysmon via GPO
Version 1.4
Overview:
Active Directory’s Group Policy Objects can be used to push/deploy Micro-Agent and Sysmon on to end-machines (Windows computers) that are part of AD. This guide will demonstrate the necessary steps to:
· Prepare a distribution point in Active Directory (AD) for the installation package
· Prepare the deployment scripts as per environment
· Create a Group Policy Object to deploy the package & link the GPO to the appropriate Organizational Unit(s)
· Force a Group Policy update on the client computer to test the deployment
Requirements:
Following requirements should be fulfilled before using this document:
· Existing Active Directory infrastructure with defined Organizational Units (OU’s)
· End-machines (windows computers) should be part of your domain, have connectivity for receiving Group Policy updates
Document was prepared using the following Azure lab environment:
· Domain Controller: Microsoft Windows Server 2016
· End-Machines: Microsoft Windows 10 64bit
Technical Terms used interchangeably throughout this document:
· Micro-Agent: Winlogbeat
· Sysmon: Sysmon
Note: There may be minor variation in the screens and steps mentioned, if you are using different versions of Windows, but the process is generally the same.
Preparing distribution point to push the packages:
1. Copy the provided Micro-Agent package on to the Active Directory machine.
2. On Active Directory, navigate to the location where the Micro-Agent package was copied and create a read only share that can be accessible by all the end-machines.
3. Follow the below steps, to create a shared folder (distribution point) with read only access:
a. Right click and open the properties window of “Micro-Agent” folder, change to ‘Sharing’ tab and click on ‘Advanced Sharing’.
b. Within the ‘Advanced Sharing’ window, check the Option “Share this Folder” and provide the share name -> click on ‘Permissions’ underneath the comments section which opens up a new window for setting permissions for the share, set the access permission to “READ ONLY” for Everyone as shown below and apply the changes.
c. This share should be accessible by all end users via the share path like “\\<AD-Hostname>\Micro-Agent\” with Read-Only access.
Create a Group Policy Object to deploy the package:
This section details the process on how to configure Group Policy Object (GPO) and Scheduled Task required for pushing/deploying Micro-Agent/Sysmon package.
· Open ‘Group Policy Management’ console from a machine that has access to Active Directory.
1. {Windows Key} + R to open the Run dialog
2. Type “gpmc.msc” in the “Open” field
3. Click the “Ok” button
· In the (Group Policy Management console screen), select the OU you would like to link the new GPO to and create a new GPO while linking it. In our example we will link the GPO to the Domain level.
1. Expand the Forest
2. Expand the Domains OU
3. Right click on the “<Domain Name>”
4. Click on the “Create a GPO in this domain, and Link it here…” menu item.
· In the (New GPO Screen), name the GPO. This case we will be using (C)_Win_All_SysMonDeployment. Which stands for (Computer based GPO) / Windows Systems / All(Workstations and Servers) / Description of the GPO (SysMonDeployment).
1. Type in “(C)_Win_All_SysMonDeployement” in the Name field
2. Click on the “Ok” button
· In the (Group Policy Management console screen), select the newly created GPO and updated the details to disable the “User configuration settings”
1. Click on the newly created Group Policy Object
2. Click the “Details” tab in the right window pain
3. Click the “GPO Status” drop down list
4. Select the “User configuration settings disabled” menu item
5. Click the “Ok” button
· In the (Group Policy Management console screen), select the newly created GPO and edit the policy settings
1. Right click on the newly created Group Policy Object
2. Click on “Edit” in the menu list
· In the ((C)_Win_All_SysMonDeployement) screen, create a new Scheduled Task
1. Click the “Computer Configuration” menu item
2. Click the “Preferences” menu item
3. Click the “Control Panel Settings” menu item
4. Right click on the “Scheduled Tasks” menu item
5. Click on the “New” menu item
6. Click on the “Scheduled Task (At least Windows 7)”
· In the (New Task (At least Windows 7) Properties) screen, update the General settings for the new Task.
1. Select “Replace” in the “Action” drop down list
2. Type a name for this Task in the “Name” field. In this case we will type “SysMonDeployment”
3. Select the “Change User or Group…” button
4. Type “System” in the “Enter the object name to select” field
5. Press the “Check Names” button
6. Click the “Ok” button
7. Check the “Run whether user is logged on or not” radio button
8. Check the “Run with highest privileges” check box
9. Check the “Hidden” check box
10. Select “Windows® 7, Windows Server ™ 2008R2” in the “Configure for” drop down list
11. Select the “Triggers” Tab
· In the (New Task (At least Windows 7) Properties) screen, update the Triggers settings for the new Task.
1. Click on the “New…” button
2. Select “At task creation/modification” in the “Begin the task” drop down list
3. Check the “Stop task if it runs longer than” and Select “1 hour” from the drop down list
4. Check the “Activate” check box. Leave the default item, which should be the current time
5. Check the “Enabled” check box
6. Click the “Ok” button
7. Select the “Actions” tab
· In the (New Task (At least Windows 7) Properties) screen, update the Actions settings for the new Task.
1. Click on the “New…” button
2. Select “Start a program” in the “Action” drop down list
3. Type the below path and program name in the “Program/Script” field. For this instance we are running
i. C:\Windows\System32\cmd.exe
4. Type the below arguments in the “Add arguments(optional)” field. Note the path below is the path to your Network Share where the Deploy script is located. For this instance, it’s a UNC on NYCWTSTADC001.
5. Click the “Ok” button
· In the (New Task (At least Windows 7) Properties) screen, update the Actions settings for the 2nd Task.
1. Click on the “New…” button
2. Select “Start a program” in the “Action” drop down list
3. Type the below path and program name in the “Program/Script” field. For this instance, we are running
i. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4. Type the below arguments in the “Add arguments(optional)” field. Note: We are creating a log file and identifying every time the job is ran.
i. -c $('Processed Job {0} as of {1}' -f 'SysMonDeployment', $(Get-Date)) | Out-File -FilePath $('{0}\{1}_GPO_Status.log' -f $Env:TEMP, '(C)_Win_All_SysMonDeployement') -Force
ii. Note: SysMonDeployment is the name of the Scheduled Job we defined earlier
iii. Note: (C)_Win_All_SysMonDeployement is the name of the GPO we defined earlier. Make sure this is the name of your GPO so the logging make sense.
5. Click the “Ok” button
· In the (New Task (At least Windows 7) Properties) screen, update the Actions settings for the 3rd and final Task.
1. Click on the “New…” button
2. Select “Start a program” in the “Action” drop down list
3. Type the below path and program name in the “Program/Script” field. For this instance, we are running
i. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4. Type the below arguments in the “Add arguments(optional)” field. Note: We are removing the Scheduled job once it is triggered. This way when GPO runs again it will kick off the same script.
i. -c start -FilePath 'schtasks.exe' -ArgumentList '/Delete /TN "SysMonDeployment" /F
ii. Note: SysMonDeployment is the name of the Scheduled Job we defined earlier. If you change the name of the Scheduled job please change it here or the task will not be deleted.
5. Click the “Ok” button
6. Select the “Settings” tab
· In the (New Task (At least Windows 7) Properties) screen, update the Settings configuration.
1. Check the “Allow task to be run on demand” check box
2. Check the “Run task as soon as possible after a scheduled start is missed” check box
3. Check the “Stop the task it if runs longer than” check box and select “1 hour” from the drop down list
4. Check the “If the running task does not end when requested, force it to stop” check box
5. Select “Do not start a new instance” from the “If the task is already running, then the following rule applies” drop down list
6. Click on the “Ok” button
Test Deployment via GPO:
Manually push and test the GPO on one of the end-machine which should eventually deploy Micro-Agent Sysmon as per the schedule task configured earlier.
1. Logon to a specific end-machine, launch a command prompt.
2. Run “gpupdate /force” to force a Group Policy update.
3. Successful execution of “gpupdate /force” command should pull the respective group policies from the AD, and the deployment tasks for Sysmon should be available in the Task Scheduler on end-machine.
4. Upon successful execution of respective tasks, you should see following services ‘sysmon’ (or) ‘sysmon64’ installed and actively running on the end-machine.
Last updated
